Disable WebAuthn on Windows/Python 3.10+

the current version of ctap-keychain-device doesn't support Python 3.10+ on Windows. We're losing WebAuthn functionality on that platform, but this makes it possible to install gimme-aws-creds
Nike-Inc · May 8, 2024 · 234be53 · 234be53
1 parent 763ae83
commit 234be53
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 3 deletions.
diff --git a/gimme_aws_creds/dummy_webauthn.py b/gimme_aws_creds/dummy_webauthn.py
@@ -0,0 +1,60 @@
+"""
+Copyright 2024-present Nike, Inc.
+Licensed under the Apache License, Version 2.0 (the "License");
+You may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+      http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and* limitations under the License.*
+"""
+
+
+from . import errors
+
+class FakeAssertion(object):
+    def __init__(self):
+        self.signature = b'fake'
+        self.auth_data = b'fake'
+
+
+class WebAuthnClient(object):
+    """ Dummy WebAuthnClient class - needed until ctap-keyring-device is updated to support Python 3.10+ on Windows"""
+    def __init__(self, ui, okta_org_url, challenge, credential_id=None, timeout_ms=30_000):
+        return None
+
+    def locate_device(self):
+        return None
+
+    def on_keepalive(self, status):
+        return None
+
+    def verify(self):
+        raise errors.GimmeAWSCredsError(
+                "WebAuthn devices not supported on this platform", 2
+            )
+
+    def _verify(self, client):
+        return None
+
+    def make_credential(self, user):
+        raise errors.GimmeAWSCredsError(
+                "WebAuthn devices not supported on this platform", 2
+            )
+
+    def _make_credential(self, client, user):
+        return None
+
+    def _run_in_thread(self, method, *args, **kwargs):
+        return None
+
+    def _get_pin_from_client(self, client):
+        raise errors.GimmeAWSCredsError(
+                "WebAuthn devices not supported on this platform", 2
+            )
+    @staticmethod
+    def _get_user_verification_requirement_from_client(client):
+        raise errors.GimmeAWSCredsError(
+                "WebAuthn devices not supported on this platform", 2
+            )
diff --git a/gimme_aws_creds/okta_classic.py b/gimme_aws_creds/okta_classic.py
@@ -10,6 +10,7 @@
 See the License for the specific language governing permissions and* limitations under the License.*
 """
 import base64
+import sys
 import copy
 import re
 import socket
@@ -30,13 +31,20 @@
 from requests.adapters import HTTPAdapter, Retry
 
 from gimme_aws_creds.u2f import FactorU2F
-from gimme_aws_creds.webauthn import WebAuthnClient, FakeAssertion
+
+# avoid importing ctap-keyring-device on Windows until it supports Python 3.10+
+if sys.platform == "win32" and sys.version_info >= (3, 10):
+    from gimme_aws_creds.dummy_webauthn import WebAuthnClient, FakeAssertion
+else:
+    from gimme_aws_creds.webauthn import WebAuthnClient, FakeAssertion
+
 from . import errors, ui, version, duo
 from .duo_universal import OktaDuoUniversal
 from .errors import GimmeAWSCredsMFAEnrollStatus
 from .registered_authenticators import RegisteredAuthenticators
 
 
+
 class OktaClassicClient(object):
     """
        The Okta Client Class performs the necessary API
@@ -622,7 +630,11 @@ def _login_multi_factor(self, state_token, login_data):
         elif factor['factorType'] == 'u2f':
             return self._login_input_webauthn_challenge(state_token, factor)
         elif factor['factorType'] == 'webauthn':
-            return self._login_input_webauthn_challenge(state_token, factor)
+            # Block webauthn until ctap-kering-device is updated to support Python 3.10+ on Windows
+            if sys.platform == "win32" and sys.version_info >= (3, 10):
+                raise errors.GimmeAWSCredsError("WebAuthn devices not supported on this platform", 2)
+            else:
+                return self._login_input_webauthn_challenge(state_token, factor)
         elif factor['factorType'] == 'token:hardware':
             return self._login_input_mfa_challenge(state_token, factor['_links']['verify']['href'])
         elif factor['factorType'] == 'claims_provider':

diff --git a/requirements.txt b/requirements.txt
@@ -4,7 +4,7 @@ keyring>=21.4.0
 requests>=2.25.0,<3.0.0
 fido2>=0.9.1,<0.10.0
 okta>=2.9.0,<3.0.0
-ctap-keyring-device==1.0.6
+ctap-keyring-device==1.0.6; sys_platform == "win32" and python_version < "3.10"
 pyjwt>=2.4.0,<3.0.0
 urllib3>=1.26.0,<2.0.0
 html5lib>=1.1,<2.0.0